An organization plans to acquire a commercial off-the-shelf (COTS) system to replace their aging home-built reporting system. When should the organization's security team FIRST get involved in this acquisition's life cycle?
A. When the system is verified and validated
B. When the need for a system is expressed and the purpose of the system is documented
C. When the system is deployed into production
D. When the system is being designed, purchased, programmed, developed, or otherwise constructed
Given answer is correct. Security has to get involved to complete the ESR (external security review) before even considering bringing the application into the organisation. Then the new application has to go through an application security review, where validation and verification happen. Once the application security review is completed, it can go for a proof of concept (PoC) or to production, depending on the organisation's plan.
B. When the need for a system is expressed and the purpose of the system is documented.
It's crucial for the security team to be involved from the early stages of the acquisition process to ensure that security requirements are considered and integrated into the system's design and procurement. Waiting until the system is already in production (option C) or at later stages may lead to security issues being overlooked or inadequately addressed.
D. B is only when someone says they would like software that does so and so. That's purely business. Security gets in from the beginning, but the beginning of the actual application, not just talk about an application. D is the answer that makes the most sense.
I am a Linux admin, and in the past infosec has come to us with products to evaluate. So the need for a product was declared by the business; infosec was now in the stage of evaluating products that would fulfill the need. B is just too early.
A. For COTS, while the organization may not be responsible for code-level security, it does not have an easy way to verify that it was done right, and the organization is the loser if there is a problem.
https://www.cisa.gov/uscert/bsi/articles/best-practices/legacy-systems/security-considerations-in-managing-cots-software
Even in the case of Commercial Off-The-Shelf (COTS) applications, it's advisable to involve the security team during the early phases of the acquisition process. While COTS applications are pre-built and not developed in-house, security considerations are still crucial. The security team should assess the security features and potential vulnerabilities of the COTS software, ensure it aligns with the organization's security policies, and consider any necessary configurations or additional security measures. By involving the security team early, you can make more informed decisions and ensure that security is a priority throughout the acquisition process.